Setting Up a Guest WiFi with Captive Portal on MikroTik

Create a professional guest WiFi experience with captive portal authentication using MikroTik's built-in HotSpot feature. Perfect for cafes, hotels, and business environments.

---

Introduction: Why Use Captive Portal for Guest WiFi?

A captive portal provides a controlled access point for guest users, requiring authentication before granting internet access. MikroTik's HotSpot feature offers enterprise-grade captive portal capabilities without additional hardware costs.

Benefits of MikroTik HotSpot:

• Branding Opportunities: Custom login pages with your logo
• User Management: Time and data limits for guests
• Security: Isolate guest traffic from your main network
• Marketing: Capture user information or show advertisements
• Flexibility: Multiple authentication methods

Network Architecture Planning

Recommended Network Layout

Internet → MikroTik Router → Main Network (192.168.88.0/24)
                         → HotSpot Network (192.168.10.0/24)

Hardware Requirements

• Any MikroTik router with wireless capability
• Sufficient RAM for user sessions
• Adequate CPU for authentication processing

Initial HotSpot Configuration

Create HotSpot Interface

# Add IP address for HotSpot network
/ip address add address=192.168.10.1/24 interface=bridge-hotspot comment="HotSpot Network"

# Create HotSpot server
/ip hotspot add name=hotspot1 interface=bridge-hotspot address-pool=hotspot-pool disabled=no

Configure IP Pool

/ip pool add name=hotspot-pool ranges=192.168.10.100-192.168.10.200

Wireless Access Point Setup

Configure WiFi Interface

# Enable wireless interface
/interface wireless set wlan1 disabled=no

# Configure as access point
/interface wireless set wlan1 mode=ap-bridge ssid="YourBusiness-Guest" band=2ghz-b/g/n frequency=auto wireless-protocol=802.11

# Add to HotSpot bridge
/interface bridge port add interface=wlan1 bridge=bridge-hotspot

Security Profile for Guest WiFi

/interface wireless security-profiles add name=guest-profile authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa-pre-shared-key=YourGuestPassword wpa2-pre-shared-key=YourGuestPassword

HotSpot Server Configuration

Basic HotSpot Setup

/ip hotspot profile set [find] html-directory=hotspot1 login-by=http-chap dns-name=yourbusiness.wifi use-radius=no

User Management

# Create limited-time guest users
/ip hotspot user add name=guest1 password=temp123 profile=default disabled=no
/ip hotspot user add name=guest2 password=temp456 profile=default limit-uptime=1h disabled=no

# Create vendor/daily codes
/ip hotspot user add name=VENDOR-CODE password=vend123 profile=default limit-uptime=8h disabled=no

Authentication Methods

Method 1: Simple Password Authentication

# Single password for all guests
/ip hotspot user add name=guest password=Welcome123 profile=default disabled=no

Method 2: Unique User Accounts

# Create individual accounts
/ip hotspot user add name=guest-room101 password=room1012024 profile=default limit-uptime=24h disabled=no
/ip hotspot user add name=guest-room102 password=room1022024 profile=default limit-uptime=24h disabled=no

Method 3: Voucher System

# Generate voucher codes
/ip hotspot user add name=VC-A1B2C3 password=A1B2C3 profile=default limit-uptime=2h disabled=no
/ip hotspot user add name=VC-D4E5F6 password=D4E5F6 profile=default limit-uptime=4h disabled=no

Customizing the Login Page

Basic Branding

# Upload custom logo
/file print
# Upload your logo.jpg to files
/ip hotspot set hotspot1 html-directory=hotspot1

Custom HTML Page

Create custom login page in /file menu:

<!DOCTYPE html>
<html>
<head>
    <title>Welcome to Our WiFi</title>
    <style>
        body { font-family: Arial, sans-serif; text-align: center; }
        .login-box { margin: 50px auto; width: 300px; padding: 20px; border: 1px solid #ccc; }
    </style>
</head>
<body>
    <div class="login-box">
        <img src="logo.jpg" alt="Your Business" width="150">
        <h2>Free WiFi Access</h2>
        <form method="post" action="$login">
            <input type="text" name="username" placeholder="Username" required><br><br>
            <input type="password" name="password" placeholder="Password" required><br><br>
            <button type="submit">Connect</button>
        </form>
        <p>By connecting, you agree to our terms of service.</p>
    </div>
</body>
</html>

Security and Isolation

Firewall Rules for Guest Isolation

/ip firewall filter
# Block guest from accessing local network
add chain=forward action=drop in-interface=bridge-hotspot out-interface=bridge-trusted comment="Block guest from local network"

# Allow guests to internet only
add chain=forward action=accept in-interface=bridge-hotspot out-interface=WAN comment="Allow guest to internet"

# Rate limiting per user
add chain=forward action=drop in-interface=bridge-hotspot connection-limit=3,32 comment="Limit connections per user"

Bandwidth Management

# Limit guest bandwidth
/queue simple add name=guest-limit target=192.168.10.0/24 max-limit=5M/2M burst-limit=10M/5M burst-threshold=4M/2M burst-time=30s

Advanced Features

Splash Page with Terms Acceptance

/ip hotspot profile set [find] http-cookie-lifetime=1d

Session Timeouts and Data Limits

/ip hotspot user profile set default rate-limit=2M/1M keepalive-timeout=5m idle-timeout=15m status-autorefresh=1m

MAC Address Binding

/ip hotspot active add mac-address=AA:BB:CC:DD:EE:FF to-address=192.168.10.50 server=hotspot1

Monitoring and Management

View Active Sessions

/ip hotspot active print

User Statistics

/ip hotspot user print stats

HotSpot Monitoring

/ip hotspot monitor [find]

Troubleshooting Common Issues

Login Page Not Appearing

• Check IP pool availability
• Verify bridge configuration
• Confirm wireless client association

Authentication Failures

• Verify user account status
• Check password correctness
• Review session limits

Slow Internet for Guests

• Check bandwidth queue settings
• Monitor overall internet bandwidth
• Verify no background downloads

Best Practices for Production

Regular Maintenance

# Backup configuration regularly
/system backup save name=hotspot-config-$(/system clock get date)

# Clear expired sessions daily
/system scheduler add name="cleanup-hotspot" interval=1d on-event="/ip hotspot active remove [find]"

Security Hardening

# Block common attacks
/ip firewall filter add chain=input protocol=tcp dst-port=8291,22 src-address=192.168.10.0/24 action=drop comment="Block guest from management"

User Experience Optimization

• Keep login process simple
• Provide clear instructions
• Set reasonable time limits
• Offer support contact information

---

Follow for more networking guides: Connect on LinkedIn | Join our WhatsApp Channel

---